Hi Ondřej,
> On 27. Feb 2024, at 16:43, Ondřej Surý wrote:
>
> Carsten, could you please fill a feature request in the GitLab?
Done, #4606.
Greetings
Carsten
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this
Hi Jim,
> On 27. Feb 2024, at 16:39, Jim P. via bind-users
> wrote:
>
> There should also be an option to display the current configuration in
> specific detail to easily create a new KASP (side question: why does DNS
> need a new acronym?)
The term “KASP” for “Key-and-signing-policy” has
Hi Matthijs,
On 27 Feb 2024, at 15:54, Matthijs Mekking wrote:
> - When migrating to dnssec-policy, make sure the configuration matches your
> existing keys.
the most problems I've seen so far have to do with this step: admins "think"
they have created a configuration that matches the current
Hi,
I have a situation where in a BIND 9 zone with dnssec-policy and
inline-signing, after a ZSK rollover, the (old) ZSK is refusing to retire.
Although the timing metadata shows the retire and deletion dates in the past,
the ZSK is still in the zone and is signing the records (along with the
DNSSEC
signed split horizon setup?
Greetings
Carsten Strotmann
Hi Chris,
Chris Buxton writes:
Hi Carsten,
From our reading of the code, it appears that when the buffer fills
up, it refuses to accept new entries. Older events are not
overwritten, but newer events are refused. The fstrm_iothr_submit()
function can return
Hi,
how can a BIND 9 operator detect a DNSTAP overload condition?
My understanding is that BIND 9 worker threads write DNSTAP information
into a circular buffer in memory, which is then read by a different
thread to write out the data (to file or socket).
Is there any indication to the
Hello Richard,
"Parkin, Richard (R.)" writes:
Hello!
We recently re-addressed some of our external-facing cache
servers into a new network and discovered that our IPs
appear to be blackholed going to certain third-party auth
servers, either intentionally or unintentionally. Our
Hi,
does anyone know about the status of the zytrax.com website and the
excellent "DNS for Rocket Scientists" guide?
The webpage first had a x509 certificate error (expired) in December
2020 and now the web server is unreachable.
I (and colleagues) have tried to reach Ron Aitchison by mail
Hello Stefano,
Chiesa, Stefano writes:
> Hello all.
> I manage several BIND 9.10.4-P8 servers with more or less 600 DNS zones.
> Anyway I never used wildcard DNS record and I hope you can help me to
> understand.
>
> The need is:
> * I have a dns zone i.e.
Hello Stephane,
Stephane Bortzmeyer <bortzme...@nic.fr> writes:
> On Tue, Mar 13, 2018 at 10:52:50AM +0100,
> Carsten Strotmann <c...@strotmann.de> wrote
> a message of 19 lines which said:
>
>> is automatic DNSSEC Delegation Trust Maintenance (RFC 7344/8078)
Hi,
is automatic DNSSEC Delegation Trust Maintenance (RFC 7344/8078) already
supported at the TLD level somewhere? I know it is implemented in BIND
9.11+ and Knot, but can it be used in the real Internet :)
I searched the usual places but cannot find any information indicating
support at TLD
Hi,
here is a question I've got during a DNS training, and I still do not
have a good answer:
RFC 2308 "DNS NCACHE" defines the last field of the SOA RR as "the TTL of
negative responses".
; <<>> DiG 9.10.3-P4-Ubuntu <<>> +noall +answer +multi +cmd soa example.com
;; global options:
Hi,
I'm doing some performance tests on some modern Haswell CPU machines (20
cores) using Ubuntu Linux 14.04 (Kernel 3.13.0-46-generic) using BIND
9.10.1-P2 compiled with --with-tuning=large.
Using 8 worker threads I get near 400K QPS via IPv4 UDP (from a hot
cache without resolving), which
Hello Shumon,
Shumon Huque shu...@gmail.com writes:
On Sat, Feb 21, 2015 at 7:35 AM, Carsten Strotmann c...@strotmann.de
wrote:
Hi,
I'm trying to build an automated update system for OPENPGPKEY records
with BIND 9 9.9.6-P2 and nsupdate.
I've verified the TSIG keys, I can add
).
--
Carsten Strotmann
Email: c...@strotmann.de
Blog: strotmann.de
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind
Addition: this is what the nsupdate line for the record looks like:
add f437b55d4fb40f93bbfa04802a6a2bcf8b69d5ee93d1b53259e6e4fc._openpgpkey.sys4.de. IN TYPE61 \# 3340 99020d[]
The RDATA size after \# seems to be correct.
this be a buffer issue?
. Could you give a link to additional information or could you
explain the issue with NSEC3 salt in other words?
Best regards
Carsten
-generating all RRSIGs is not a
problem), I would recommend rolling the salt in the same intervals, but
independently of the ZSK rollover.
-P2.x64.zip
/9.9.3-P2/
Best regards
Carsten
Jean-François Leroux leroux.jeanfranc...@gmail.com writes:
Hi,
must be a stupid question but I hadn't noticed before that some
queries in my server are labelled like that
query IN A -ED (or EDC, or EC)
What does this mean?
you'll find the documentation for query-log entries
Hello Jeronimo,
Jeronimo L. Cabral jelocab...@gmail.com writes:
Dear, we have several hosts in our LAN that ask our BIND DNS: Debian,
Windows 7, Red Hat and CentOS.
If we implement DNSSEC validation support in our BIND9 server...how
can I know if our hosts' resolvers are compatible with
Hello Evan,
Evan Hunt e...@isc.org writes:
On Thu, Mar 06, 2014 at 11:34:45AM +0100, Carsten Strotmann wrote:
there could be a hard-link from a name like tsig-keygen to
dnssec-keygen which changes the type of key created to -n HOST. That
would not require any change to the existing interface
Hi Evan,
Evan Hunt e...@isc.org writes:
On Thu, Mar 06, 2014 at 08:55:28AM +0100, Carsten Strotmann wrote:
I agree that it might be nice to change dnssec-keygen to make the tool
more user-friendly. The current state of things is because of historic
developments in how DNSSEC came to birth
Hello Evan,
Evan Hunt e...@isc.org writes:
there could be a hard-link from a name like tsig-keygen to
dnssec-keygen which changes the type of key created to -n HOST. That
would not require any change to the existing interface. Just an idea.
Thanks, Carsten. I had actually had the same
Gaurav Kansal gaurav.kan...@nic.in writes:
I was wondering if HMAC* keys are not used for zone then why the same
is displayed when we use dnssec-keygen -h.
the tool dnssec-keygen can be used to create both zone keys (with
-n ZONE) for DNSSEC zone signing, and host keys (with -n HOST) for
TSIG
Hi Markus,
Markus Weber bumpemacve...@googlemail.com writes:
Choose sane SOA values. refresh and retry expire
I will check these values, I thought they were kind of standard values
the default SOA values on a MS DNS Server are well and good for
dynamic, internal, AD integrated DNS
Hi Chris,
Chris Buxton cli...@buxtonfamily.us writes:
I’d bet that the package from Men & Mice includes this script or an
equivalent workaround. When I wrote the original script I wrote about
above, I worked at Men & Mice.
Your script or the sleep timer is not in the package anymore, but maybe
to configure in BIND, only you need a BIND DNS
Server acting as a cache server. A client should never directly talk to
an authoritative (only) DNS Server. It should always go through an
intermediate caching.
Best regards
Carsten Strotmann
Chiesa Stefano stefano.chi...@wki.it writes:
Hello all.
I
Hi Sean,
Sean Channel schan...@isc.org writes:
Thanks for the MM package, this is fantastic! On the critical side,
the package BOM only lists an extinct tarball instead of the actual
files and directories in the package. Just a nit pick, apologies:
yes, that is a historical artifact from
servers.
named -V gives you the compile switches used to compile your current
BIND. If you use the very same switches during compiling 9.8.6, you
should get a new BIND that matches your existing setup and is a
drop-in replacement.
Best regards
Carsten Strotmann
Eduardo Bonsi beart...@pacbell.net writes:
Menandmice have some pre-compiled packages updates for these systems.
http://support.menandmice.com/download/bind/
GNU-kfreebsd/
illumian/
kGNUfreebsd/
linux/
macosx/
solaris/
(as the one compiling the BIND packages @ Men & Mice):
other users, but I need to confirm this on a lab environment.
The Men & Mice BIND MacOS X installers currently fail on MacOS X
10.9, because /var/named is not there. I'm working on updating the Men &
Mice packages to work on MacOS X 10.9.
Best regards
Carsten Strotmann
.
Please report any issues with these installers to me.
Best regards
Carsten Strotmann
Eduardo Bonsi beart...@pacbell.net writes:
I want to confirm what Carsten said here;
I just performed an upgrade from Snow Leopard, 10.6.8 one day before
yesterday. The upgrade itself went fine except for BIND
Hi,
Kevin Darcy k...@chrysler.com writes:
Are these queries mostly for names in an Active Directory domain? The
default for Active Directory is for *every* Domain Controller to
register NS records at the apex of the AD domain. Pretty soon, for any
reasonably-sized AD infrastructure, all of
Hello John,
jo...@primebuchholz.com writes:
What am I missing here? /var/named/var/run and
/var/named/var/run/named
have group write permissions, so it seems it *shouldn't* be
complaining,
and the resulting files should've been owned by named, shouldn't they?
If you are running
Hi Norman,
Norman Fournier nor...@normanfournier.com writes:
ns2:~ norman$ apachectl -t
Syntax OK
ns2:~ norman$ apachectl restart
launchctl: CFURLWriteDataAndPropertiesToResource
(/System/Library/LaunchDaemons/org.apache.httpd.plist) failed: -10
ns2:~ norman$ apachectl start
launchctl:
Hello Norman,
Norman Fournier nor...@normanfournier.com writes:
I posted this to httpd.apache.org but have not had any response, so I
think it may be more related to BIND than DNS. Apologies for the
cross-post.
the information you give is not enough to debug the problem or even to
have a
.
That is a good idea, for multiple reasons.
I didn't have time to prepare examples for my suggestions here, but I
could come up with config examples if you would like to see them.
Best regards
Carsten Strotmann
Hello Jay,
Jay Ford jay-f...@uiowa.edu writes:
I just upgraded BIND on a Linux-based server from 9.8.3-P3 to 9.8.4.
I started getting a bunch of RSA_verify errors, as has been
discussed on this list. Is there a 9.8 release which quells those
messages, or is hacking
the source
error and then
look for the next.
Best regards
Carsten Strotmann
Hello Feng,
Feng He fen...@nsbeta.info writes:
I upgraded my BIND from 9.7 to 9.9.
For BIND 9.7 all zone files under /var/cache/bind are clear text.
But under BIND 9.9 it seems the zone files are binary format.
So how can we check the content of zone files now?
you can use
output gives you information on how many queries are
received for normal DNS zones (view _default) and the special built-in
zone (view _bind).
Best regards
Carsten Strotmann
Hello Ben,
benjamin fernandis benjo11...@gmail.com writes:
Hi,
As per my understanding, if we change anything in named.conf and then
if we require to enable changes without service restart, we go with
rndc reconfig.
So I tried it but it does not work.
rndc reconfig does only very
the dedicated TTLs on each individual resource record
using the nsupdate tool.
Best regards and a good new year!
Carsten Strotmann
need to configure the zone
as a dynamic zone (using update-policy or allow-update statements).
If the client is not in your own networks, someone in the remote network
has (mis-)configured the client to be inside the test-zone.in domain.
Best regards
Carsten Strotmann
Hello Alexander,
Alexander Gurvitz a...@net-me.net writes:
Carsten,
The script in my original question (it's in the P.S. at the bottom of
my first mail) seem to work for me.
Ahh, thanks, my Emacs was hiding that :)
(I can't decide which one is better: bind.conf, bind9.conf or
is usually not the issue.
Best regards
Carsten Strotmann
Phil Mayers p.may...@imperial.ac.uk writes:
On 14/11/12 15:02, King, Harold Clyde (Hal) wrote:
I'm a bit confused by a user request. I think he is trying to keep some
hosts on the private side of DNS, but he wants to use a DNS name like
host.sub.local. I do not know of the use of the .local
Hello Phil,
Phil Mayers p.may...@imperial.ac.uk writes:
On 10/24/2012 10:17 PM, Carsten Strotmann wrote:
my experience is that it is safe to place clients in either a DNS domain
with the same name as the AD domain, or in a subdomain of the AD
domain.
What does place mean, exactly
Hello Martin,
Martin McCormick mar...@dc.cis.okstate.edu writes:
I described a case where one of our remote campuses can't
resolve a number of remote domains. One example is noaa.gov. It
also successfully resolves random remote domains without
seemingly any rhyme or reason.
Here is a
Hello Aaron,
Aaron Thompson athomp...@berklee.edu writes:
I have little experience in the AD arena for DNS/DHCP. Without being
a too loaded question, with your experience is it possible or common
to have a very knowledgeable understanding of the performance and
health of an AD system
it appear flat creates problems.
.
Pick your choice -- easy life vs. understanding
and fun :)
Carsten Strotmann
Men & Mice
Hello James,
James Tingler james.ting...@contr.netl.doe.gov writes:
E.g.
Sep 17 15:32:01 PROD55-DNS2 named[27503]: error (network unreachable)
resolving 'www.amazon.com/A/IN': 2610:a1:1017::1#53
Sep 17 15:32:08 PROD55-DNS2 named[27503]: error (network unreachable)
resolving
Hello James,
James Tingler james.ting...@contr.netl.doe.gov writes:
Thanks for the reply Carsten. This didn't make a difference but
potentially I'm using the parameter incorrectly (no errors though).
/etc/rc.d/init.d/named start -4
no, it does not work that way.
Ayca Taskin (Garanti Teknoloji) ayc...@garanti.com.tr writes:
Hi,
I'm using BIND 9.6.1-P3 and want to upgrade to BIND 9.9.1-P3 on Solaris. What is
your advice about the upgrade and migration to 9.9.1-P3, is there any guide for
this?
Whenever you upgrade to a new version of BIND (esp. when it
pangj pa...@riseup.net writes:
Thanks.
bogon:~ pro$ named -v
BIND 9.7.3-P3
This has been installed.
For a more recent version of BIND (9.8.x or 9.9.x), there are MacOS X
installers of new
versions at
http://support.menandmice.com/download/bind/macosx/
-- Carsten
Ryan Novosielski novos...@umdnj.edu writes:
FWIW, 9.6 ships with Solaris 10.
current BIND release installer packages for Solaris 10 (Sparc and i86pc)
can be found at http://support.menandmice.com/download/bind/solaris/
I'm also willing to build current BIND 9 packages for Solaris 8 or 9, but
Jeff Justice listacco...@starionline.com writes:
Hi Jeff,
I am trying to mask our DNS servers version output to a custom string,
but it doesn't seem to be working for me. In a nutshell, I have added
this to my options block of my named.conf:
version [DNS Server];
But when I do a
Hello Alberto,
On Sat, 4 Aug 2012, Alberto Rasillo wrote:
Hi, what are recommendations regarding security and DNS service? Thanks
it is difficult (impossible?) to answer such a generic question.
Generic security advice for a DNS service:
* read your DNS server's documentation carefully
*
, but that is another
issue).
Best regards
Carsten Strotmann
Hello Ben,
On 7/12/12 10:32 AM, Ben wrote:
Still, my question is open..
I'm not from ISC, but I have an idea what causes this (but I'm not an
authoritative source). You can look up the BIND source code.
Every caching DNS Server (BIND or other
Hello John,
On 6/29/12 4:52 PM, John Williams wrote:
The purpose behind this is not to protect the internal AD DNS from
hijacking. But rather to allow internal clients to run DNSSEC
related queries without having to reference external resolvers.
Hello JT,
I'm currently working on integrating MS DNSSEC (on Windows 2012) and
BIND here @ Men & Mice for another customer.
I might have a solution for you, but I need more detailed information about
your setup. I will contact you by E-Mail on Monday (I hope that is not too
late).
-- Carsten
: QUERY, status: FORMERR, id: 30679
;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
I have no explanation of this issue at the moment.
To my knowledge Google is using a homegrown DNS resolver, not BIND.
Best regards
Carsten Strotmann
IN A 207.46.55.10
;; Query time: 37 msec
;; SERVER: 94.245.124.49#53(94.245.124.49)
;; WHEN: Sun Jun 24 10:00:54 2012
;; MSG SIZE rcvd: 228
Having the AD flag set on a non-DNSSEC zone might be a protocol
violation, and that might be the cause of FORMERR.
Best regards
Carsten
Hello,
On 6/24/12 10:07 AM, Carsten Strotmann (private) wrote:
It might even be a new Windows 2012 DNS server, and it might be an
issue with this new version. This is just speculation, but if it is
an issue with Windows 2012 DNS, it might
informed Microsoft about the issue.
Best regards
Carsten Strotmann
rcvd: 60
If some other members of this mailing list also see the same FORMERR
(I'm seeing it over IPv4+IPv6), that is very likely a firewall or
middlebox on the Microsoft side.
Best regards
Carsten Strotmann
from a test, and have not been
properly removed when the IP addresses of the domain controller have
been changed.
Best regards
Carsten Strotmann
On 1/1/12 1:18 PM, DNSbed.com wrote:
On Sun, 1 Jan 2012 13:05:41 +0100, Jan-Piet Mens
jpmens@gmail.com wrote:
Has anyone tried the new features of rndc addzone|delzone with
BIND-9.7? Will the zone added|deleted get transferred between
master
On 12/31/11 8:09 AM, Ken Peng wrote:
Today I set up a new name system, BIND 9.7.3 with multi-views, zone
transfers are going based on different TSIG-Keys. I have found a
strange problem that when I edited the zone file, added a record,
increased
Hi,
because it was a recurring question in the ISC/Men & Mice DNSSEC
trainings this year, I've taken some time to write down my knowledge
on NSEC3 use of the salt and iteration parameters: